DeconstruCT.F 2023 - Missing
Description
Category: OSINT
Jason Todd went missing and all Alfred was able to recover from his PC was this file. Help Alfred find Jason.
Hint
Rule 3 does not apply here. Bruteforce is allowed
Resolution
1. Crack the rar
We have an encrypted jason.rar archive.
We crack it with John the Ripper:
$ ./rar2john jason.rar > hash
$ john hash --wordlist=rockyou.txt
Warning: detected hash type "RAR5", but the string is also recognized as "RAR5-opencl"
Use the "--format=RAR5-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 56 password hashes with no different salts (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
1983 (jason.rar)
56g 0:00:01:48 DONE (2023-08-05 22:37) 0.5138g/s 439.2p/s 439.2c/s 24597C/s 290392..01011985
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
2. Git commit history
Now that we have the password, we can decrypt the archive.
In the archive we have 2 directories:
cryptic-tod-secure
nothing_here_to_look_at
We went inside nothing_here_to_look_at and searched for info.
The only notable file is empty.txt, which seemed to contain a link:
this link might be interesting
...
find my github pages site that i accidentaly deleted to find what u want :P
...
Since there is a .git directory, we can see the history with git log:
$ git log
commit 65e36b3f6fc7baa97fdb17ae17d4d0ab2ac9ff71 (HEAD -> main, origin/main, origin/HEAD)
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Wed Jun 1 17:33:30 2022 +0530
Create encoded.txt
commit c707cc578d25efe99348ed9e267156a8203224ae
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Wed Jun 1 17:32:13 2022 +0530
Create secret.txt
commit 38daa614da04a03b6c02149504bda43d56dcbd8a
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Sat May 28 11:41:55 2022 +0530
Update empty.txt
commit f50086b592f94cc8d05f9b1dde2eeb10d6c4713c
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Fri May 27 11:52:07 2022 +0530
something for u
We switch to an older version of the repo, from before empty.txt was modified:
$ git restore .
$ git checkout f50086b592f94cc8d05f9b1dde2eeb10d6c4713c
Now we open empty.txt and there is a base64-encoded string:
aHR0cHM6Ly93d3cuaW5zdGFncmFtLmNvbS90b2RkX2phc29uX3NlY3VyZS8=
Once decoded, it gives us a link: https://www.instagram.com/todd_jason_secure/
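The same recovery without checking out commits one by one, as an added example that is not part of the original writeup: it walks every revision of a file and decodes any base64-looking token it finds, which shows why content removed in a later commit is still exposed by the history. The helper names `scan_history` and `make_demo_repo`, the demo repository and its example.com URL are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find base64 strings that survive only in a file's git history.

# scan_history REPO FILE
# Prints "<short-commit> <decoded text>" for every base64-looking token in any
# past revision of FILE whose decoding is printable text.
scan_history() {
    repo=$1; file=$2
    git -C "$repo" log --format=%h -- "$file" | while read -r rev; do
        git -C "$repo" show "$rev:$file" 2>/dev/null |
        grep -oE '[A-Za-z0-9+/]{20,}={0,2}' | while read -r tok; do
            decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null | tr -d '\0')
            # Skip tokens that do not decode to printable text (random identifiers etc.)
            printf '%s\n' "$decoded" | LC_ALL=C grep -qx '[[:print:]]\{1,\}' || continue
            printf '%s %s\n' "$rev" "$decoded"
        done
    done
}

# make_demo_repo DIR
# Builds a constructed two-commit repository (sample data, not the challenge's):
# the first commit stores an encoded URL, the second overwrites it.
make_demo_repo() {
    dir=$1
    g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    git init -q "$dir"
    printf 'https://example.com/constructed-profile' | base64 > "$dir/empty.txt"
    g add empty.txt && g commit -q -m 'something for u'
    echo 'this link might be interesting' > "$dir/empty.txt"
    g commit -q -am 'Update empty.txt'
}

demo=$(mktemp -d)
make_demo_repo "$demo"
# The working tree no longer holds the URL, but the first commit still does.
scan_history "$demo" empty.txt
```
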
3. Instagram account
Since I don’t have an Instagram account, I used Picuki to see the profile:
There are two posts:
We get the first part of the flag in the second post: dsc{h4vINg_FuN_w1
In the first post, there are 13 comments, and one of them points to the next step:
4. Twitter account
For this step, you need a Twitter account.
On Twitter we search for todd_jason_secure:
We find the tweet which gives us the second part of the flag:
The second part of the flag is base32-encoded. Once decoded, we have: 7h_O5INT_@Nd_m4p5}
And finally we get the flag: dsc{h4vINg_FuN_w17h_O5INT_@Nd_m4p5}